There is growing recognition that technology alone will not provide
all of the solutions to security and privacy problems. Human factors
play an important role in these areas, and it is important for
security and privacy experts to have an understanding of how
people will interact with the systems they develop. This course is
designed to introduce students to a variety of usability and user
interface problems related to privacy and security and to give them
experience in designing studies aimed at helping to evaluate usability
issues in security and privacy systems. The course is suitable both
for students interested in privacy and security who would like to
learn more about usability, and for students interested in
usability who would like to learn more about security and
privacy. Much of the course will be taught in a graduate seminar
style in which all students will be expected to do a weekly reading
assignment and each week different students will prepare a
presentation for the class. Students will also work on a group project
throughout the semester.

Readings will be assigned from the following texts (available in the
CMU bookstore and from all the usual online stores). Additional
readings will be assigned from papers available online or handed
out in class.

Additional readings will be assigned from the course reading
list. Most of these readings are in papers available online. In cases
where a subscription is required for access, access should be
available for free when you are coming from a CMU IP address (on
campus or via CMU VPN).

Homework 3 due - Reading summaries from 9/13 and 9/15; Analyze
class password survey data (do not do entropy estimates) and compare these results with Shay et
al. 2010; discuss how well the class study replicated the original
paper and what might account for any differences in results (counts as extra homework) [+ summary
of 1 optional reading]

You are responsible for being familiar with the university
standard for academic honesty and plagiarism. Please see the CMU
Student Handbook for information. In order to deter and detect
plagiarism, online tools and other resources may be used in this
class. Students caught
cheating or plagiarizing will receive no credit for the assignment
on which the cheating occurred. Additional actions -- including
assigning the student a failing grade in the class or referring the
case for disciplinary action -- may be taken at the discretion of
the instructor.

For students taking the 12-unit version of this course, your final grade in this course will be based on:

40% Project

35% Homework

15% Presentation

10% Class participation

For students taking the 9-unit version of this course, your final grade in this course will be based on:

40% Project

50% Homework

10% Class participation

Homework

Homework assignments for this class will include reading summaries
as well as written assignments. All homework is due in printed form
in class at 3:00
pm each Thursday (unless otherwise specified). Homework submitted after 3:15 pm will be considered late. Homework will be graded as check-plus (100%), check (80%),
check-minus (60%) or 0. If you turn in a complete assignment but
provide no interesting insights you will get a check. To earn a
check-plus requires that you complete the assignment and provide
insightful comments. Late homework will receive one grade lower than it would have otherwise received if it is submitted no later than at the beginning of the next class meeting (after that it will not be accepted). Your two lowest homework grades will be
dropped from your homework average.

Students are expected to do reading assignments prior to class so
that they can participate fully in class discussions. Students must
submit a short summary (3-8 sentences) and a "highlight" for each
chapter or article in the reading assignment. The highlight may be
something you found particularly interesting or noteworthy, a
question you would like to discuss in class, a point you disagree
with, etc.

Students taking the 12-unit version of this course are expected to include a summary and highlight
for one optional reading of their choice each week. Suggested
optional readings are provided, but students may choose other
relevant optional readings. All other students are encouraged to
review some of the optional readings that they find interesting, but
they need not submit summaries or highlights of the optional
readings.

Presentation

Each student taking the 12-unit version of this course will be assigned a class lecture to
prepare and present (either individually or with a small group of
other students). The lecture should be based on the topics
covered in that week's reading assignment, but it should go beyond
the materials in the required reading. Do not present a lecture that simply summarizes the assigned reading. For example, you might read and
present some of the related work mentioned in the reading or that
you find on your own (the HCISec Bibliography is a
good starting point for finding papers), you might
present some of the relevant optional reading materials (feel free to use relevant materials from other weeks), you might
demonstrate software mentioned in the reading, you might critique
a design discussed in the reading, or you might design a class
exercise for your classmates. If the material you present describes a user study, include a detailed description and critique of the study design. As part of your lecture you
should prepare several discussion questions and lead a class
discussion. You should also introduce your fellow students to
terminology and concepts they might not be familiar with that are
necessary to understand the material you are presenting. You should
email to the instructor a set of PowerPoint slides including
lecture notes and discussion questions. These slides will be posted
on the class web site. In addition, the instructor may include all
or part of your presentation slides and notes in an instructor's
guide for future usable privacy and security
courses.

Project

Students will work on semester projects in small
groups that include students with a variety of areas of
expertise. A choice of projects will be provided and students will
be given an opportunity to indicate their preferences before
projects are assigned. Students who have their own ideas for projects should
discuss them with the instructor early in the semester.
As part of the project students will:

Return their project preference form by September 27 so
that they can be assigned to a project by September 29.

Submit a one-page project proposal by October 11. The
proposal should describe the system you propose to design or
evaluate, discuss what you hope to learn from your user study and/or
the hypotheses you plan to test, and provide an overview of your
preliminary user study plan (what types of tasks will you have
participants do? what types of people will you recruit? will you use
a finished software product, prototype, paper prototype, etc. in
your user study? will this be a between-subjects or within-subjects
study? will you conduct your study online, in a lab, or with paper
surveys?).

Complete an IRB application with all necessary attachments and submit it to IRB as early in the semester as possible.

Pilot test the user study protocol on at least two people (can be members of the
class from other project groups) and refine it based on these tests
(or other similar piloting as appropriate if this is not a lab study).

Give a 10-15 minute progress report presentation on November 1
or 3.

Submit a written progress report by November 1. Your written progress report and presentation should describe your progress to date and any problems you have run into that you would like some advice on. In addition, the written report should include a revised user study plan and the details of your initial pilot user study, including the study design and scripts (and results if you have already completed the initial study).

Conduct a study using the revised protocol with at least
6 subjects (or more if this is not a lab study). (Optionally, you can conduct a larger study that would be likely to lead to publishable results. If your study has only 6 subjects, most likely this will be useful mostly as a pilot study, and should be positioned as such in your paper.)

Give a 15-minute final project presentation during the final exam period.

Write a paper giving an overview of the proposed study, what
you hope to learn from it, what you learned from the pilot study,
etc. and submit it by TBA in both electronic and printed form. Your IRB forms, survey forms,
etc. should be included as appendices.

Students are encouraged to submit their project to the Symposium On Usable Privacy and
Security (SOUPS) as either a paper or a poster. A paper submission will
likely require some additional work after the end of the
semester. A poster submission requires only a 2-page
abstract. The instructor will provide funds for one student from
each project team to attend the SOUPS conference if their paper or
poster is accepted.

Students signed up for the 12-unit version of this course are expected to play a leadership
role in a project group and write a project paper suitable for
publication. Unless every student in your group is signed up for the
9-unit version of the course, this
means your final paper should be written in a style suitable for
publication at a conference or workshop. The conference papers in
the optional readings provide some good examples of what a
conference paper looks like and the style in which they are
written. In addition to describing what you did in your study, your
paper should include a related work section and properly-formatted
references. Papers should follow the SOUPS 2011
technical papers formatting instructions. If you have identified an
alternative relevant conference and would prefer to use that
conference's submission format for your paper, please discuss it
with the instructor.